SECURITY FAQ

Protego collects application behavior metadata only. Nonetheless, even this metadata can contain sensitive information, especially about the topology and operation of the customer's application; therefore all data is encrypted both in transit and at rest.

No customer data leaves the customer sub-account. However, Protego does collect anonymous behavioral statistics to help tune detection models across accounts. We take several steps to ensure that the data we collect relates to application behavior and does not include end-customer data or sensitive information.

Protego requires several permissions in order to provide protection for the account. However, we do not require permissions on all resources. A complete list of required permissions is detailed in our Cross-Account Permissions document.

By default, no. However, if you would like Protego to apply automatic fixes for security bugs in your code, all you have to do is provide the necessary permissions and request the fix via the dashboard plugin or through the API.

No, the static analysis executes within the confines of the customer account. Customer code and intellectual property never leave the customer account and are not accessible in the Protego backend at any time.

Protego Labs uses Amazon Web Services, which is SAS70 and PCI compliant. All data is encrypted in transit and at rest. In addition, Protego Labs conducts annual penetration tests performed by a certified third party and adheres to the highest information security industry standards.

Data is retained according to an account retention policy. Basic accounts typically store data for 30 days. Paid accounts store data for 1 year unless otherwise mutually agreed with customers. Data retention is implemented using S3 and DynamoDB TTL settings. Additionally, a periodic housekeeping operation is implemented to ensure data has been erased according to policy.
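As an added illustration of the retention mechanism described above (example code written for this page, not Protego's own), the following derives the DynamoDB TTL attribute for a record from the account tier and runs the kind of housekeeping sweep that catches items DynamoDB's best-effort TTL deletion has not yet removed or that were written without a TTL at all. The tier names, the attribute name `expires_at`, the 48-hour grace window and the sample records are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Retention policy from the FAQ: basic accounts 30 days, paid accounts 1 year.
RETENTION = {"basic": timedelta(days=30), "paid": timedelta(days=365)}

# DynamoDB TTL reads a Number attribute holding epoch seconds; the attribute
# name "expires_at" is an assumption for this example.
TTL_ATTRIBUTE = "expires_at"

# DynamoDB deletes expired items on a best-effort basis, usually within a few
# days, so housekeeping treats anything past this grace window as a policy
# violation to delete explicitly rather than wait on.
TTL_GRACE = timedelta(hours=48)

# Constructed fixed timestamp for the sample records below (not real data).
SAMPLE_T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)

def ttl_for(created_at: datetime, tier: str) -> int:
    """Epoch-seconds TTL value for a record, derived from the account tier."""
    if created_at.tzinfo is None:
        raise ValueError("created_at must be timezone-aware")
    return int((created_at + RETENTION[tier]).timestamp())  # KeyError if tier unknown

def stamp_record(record: dict, tier: str, created_at: datetime) -> dict:
    """Copy of record with the TTL attribute set, ready for a DynamoDB put."""
    return {**record, TTL_ATTRIBUTE: ttl_for(created_at, tier)}

def overdue(items: list, now: datetime) -> list:
    """Housekeeping: items whose TTL passed more than TTL_GRACE ago."""
    # A record with no TTL attribute would never expire, so it is reported too.
    cutoff = int((now - TTL_GRACE).timestamp())
    return [it for it in items
            if it.get(TTL_ATTRIBUTE) is None or it[TTL_ATTRIBUTE] < cutoff]

def sample_sweep(days_later: int) -> list:
    """Run the sweep over constructed sample records; returns the overdue ids."""
    items = [
        stamp_record({"id": "fn-1"}, "basic", SAMPLE_T0),
        stamp_record({"id": "fn-2"}, "paid", SAMPLE_T0),
        {"id": "fn-3"},  # written without a TTL attribute
    ]
    now = SAMPLE_T0 + timedelta(days=days_later)
    return [it["id"] for it in overdue(items, now)]

if __name__ == "__main__":
    # 40 days on: fn-1 expired 10 days ago (past grace), fn-2 is still valid.
    print("delete explicitly:", sample_sweep(40))
```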

All data is encrypted in transit via TLSv1.2. Data at rest is encrypted using Amazon KMS cryptography with an HSM backing key, which is itself stored encrypted under the AWS domain keys. All encryption keys are rotated regularly.

As a security company, we are security oriented and we make sure our releases are hardened against malicious attacks. Each release cycle is accompanied by a barrage of manual and automatic QA tests (as detailed in the Product Testing E2E and Unittest Test Plans, available under NDA) to ensure no security breach is present in any official release. Additionally, once a year a full and comprehensive penetration test is conducted by a certified third party to ensure there are no security vulnerabilities.

The primary source of vulnerability data we use is the NIST National Vulnerability Database (NVD); updates are automatically processed daily via the CVE-Modified data-feed API. Additionally, our research group will trigger more frequent updates as necessary if specific high-risk vulnerabilities become known.

For selected customers, Protego can be deployed in a sub-account inside the customer's cloud account. This can help simplify compliance with internal and external regulation. In this case, Protego creates a cross-account role that enables management and upgrade of this sub-account, but at no time will data leave the customer account for Protego's account.

Should you still have any questions whatsoever, we will be happy to answer them. You can reach us any time at [email protected]

Protego's serverless security technology leverages the new opportunities provided by serverless, helping you achieve control over your apps. The SaaS solution lets you get a handle on your growing serverless environment in less than 20 minutes.